Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Managing Yandex StoreDoc users

Written by
Updated at January 22, 2026

You can add and delete users as well as manage their individual settings and database access permissions.

Getting a list of users

  1. Go to the folder page.
  2. Go to Yandex StoreDoc.
  3. Click the name of the cluster you need and select the  Users tab.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To get a list of cluster users, run this command:

yc managed-mongodb user list \
  --cluster-name <cluster_name>

You can get the cluster name with the list of clusters in the folder.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.List method, e.g., via the following cURL request:

    curl \
  --request GET \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users'

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService.List method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.mongodb.v1.UserService.List

    You can get the cluster ID with the list of clusters in the folder.

  4. Check the server response to make sure your request was successful.

Creating a user

  1. Go to the folder page.

  2. Go to Yandex StoreDoc.

  3. Click the name of your cluster and open the  Users tab.

  4. Click Create user.

  5. Enter the DB username and password.

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

    The password must be between 8 and 128 characters.

  6. Configure the roles for the user:

    1. Click Add database and select the database where you want to grant a role.
    2. Add roles using .

    You can grant multiple roles to a user in different databases.

  7. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To create a user in a cluster:

  1. See the description of the CLI command for creating a user:

    yc managed-mongodb user create --help

  2. Specify the user properties in the create command:

    yc managed-mongodb user create <username> \
  --cluster-name <cluster_name> \
  --password <user_password> \
  --permission database=<DB_name>,role=<role>,role=<other_role>,... \
  --permission database=<other_DB_name>,role=<role>,...

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

    The password must be between 8 and 128 characters.

    You can get the cluster name with the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. Add the yandex_mdb_mongodb_user resource:

    resource "yandex_mdb_mongodb_user" "<username>" {
  cluster_id = <cluster_ID>
  name       = "<username>"
  password   = "<password>"
  permission {
    database_name = "<DB_name>"
    roles         = [ "<list_of_user_roles>" ]
  }
}

    Where database_name is the name of the DB you want to grant access to.

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

    The password must be between 8 and 128 characters.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.Create method, e.g., via the following cURL request:

    curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users' \
  --data '{
            "userSpec": {
              "name": "<username>",
              "password": "<user_password>",
              "permissions": [
                {
                  "databaseName": "<DB_name>",
                  "roles": [
                   "<role_1>", "<role_2>", ..., "<role_N>"
                  ]
                }
              ]
            }
          }'

    Where userSpec is the settings for the new database user:

    • name: Username.

    • password: User password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

      The password must be between 8 and 128 characters.

    • permissions: User permissions settings:

      • databaseName: Name of the database to which the user will have access.
      • roles: Array of user roles. Each role is provided as a separate string in the array. For a list of possible values, see Users and roles.

      For each database, add a separate element with permission settings to the permissions array.

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService.Create method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_spec": {
          "name": "<username>",
          "password": "<user_password>",
          "permissions": [
            {
              "database_name": "<DB_name>",
              "roles": [
                 "<role_1>", "<role_2>", ..., "<role_N>"
              ]   
            }
          ]
        }
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.mongodb.v1.UserService.Create

    Where user_spec is the settings for the new database user:

    • name: Username.

    • password: User password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

      The password must be between 8 and 128 characters.

    • permissions: User permission settings:

      • database_name: Name of the database to which the user will have access.
      • roles: Array of user roles. Each role is provided as a separate string in the array. For a list of possible values, see Users and roles.

      For each database, add a separate element with permission settings to the permissions array.

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.

Changing users

  1. Go to the folder page.

  2. Go to Yandex StoreDoc.

  3. Click the name of your cluster and open the  Users tab.

  4. To edit a user password, click in the row with the user you need and select Change password.

    Note

    The password must be from 8 to 128 characters long.

  5. To change the user's roles:

    1. Click in the row with the user you need and select Configure.
    2. To add a role, click next to the appropriate database and select the role.
    3. To delete a role, click next to the role name.

  6. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To change a user's password or list of roles:

  1. See the description of the CLI's update user command:

    yc managed-mongodb user update --help

  2. Specify the user properties in the update command:

    yc managed-mongodb user update <username> \
  --cluster-name <cluster_name> \
  --password <user_password> \
  --permission database=<DB_name>,role=<role>,role=<other_role>,... \
  --permission database=<other_DB_name>,role=<role>,...

    Note

    The password must be from 8 to 128 characters long.

To grant a user access to a database with a defined list of roles:

  1. View a description of the CLI command to grant users permissions:

    yc managed-mongodb user grant-permission --help

  2. Specify the properties of the user in the grant permissions command:

    yc managed-mongodb user grant-permission <username> \
  --cluster-name <cluster_name> \
  --database <DB_name> \
  --role <list_of_roles_separated_by_commas>

To revoke user database access:

  1. View a description of the CLI command to revoke users' permissions:

    yc managed-mongodb user revoke-permission --help

  2. Specify the properties of the user in the revoke permissions command:

    yc managed-mongodb user revoke-permission <username> \
  --cluster-name <cluster_name> \
  --database <DB_name>

    This command denies the user all access to the specified database.

You can get the cluster name with the list of clusters in the folder, the DB name, with the list of databases in the cluster, and the user's name, with the list of users in the cluster.

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. Find the yandex_mdb_mongodb_user resource.

  3. Update the password field value and field values under permission:

    resource "yandex_mdb_mongodb_user" "<username>" {
  cluster_id = <cluster_ID>
  name       = "<username>"
  password   = "<new_password>"
  permission {
    database_name = "<DB_name>"
    roles         = [ "<new_list_of_user_roles>" ]
  }
}

    Note

    The password must be from 8 to 128 characters long.

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.Update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users/<username>' \
  --data '{
           "updateMask": "password,permissions.databaseName,permissions.roles",
           "password": "<user_password>",
           "permissions": [
             {
               "databaseName": "<DB_name>",
               "roles": [
                 "<role_1>", "<role_2>", ..., "<role_N>"
               ]
             }
           ]
         }'

    Where:

    • updateMask: Comma-separated string of settings you want to update.

    • password: User password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

      The password must be between 8 and 128 characters.

    • permissions: User permission settings:

      • database_name: Name of the database to which the user will have access.
      • roles: Array of user roles. Each role is provided as a separate string in the array. For the list of possible values, see Users and roles.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService.Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "update_mask": {
          "paths": [
            "password",
            "permissions.database_name",
            "permissions.roles"
          ]
        },
        "password": "<user_password>",
        "permissions": [
          {
            "database_name": "<DB_name>",
            "roles": [
              "<role_1>", "<role_2>", ..., "<role_N>"
            ]
          }
        ]
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.mongodb.v1.UserService.Update

    Where:

    • update_mask: Comma-separated string of settings you want to update.

    • password: User password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

      The password must be between 8 and 128 characters.

    • permissions: User permission settings:

      • database_name: Name of the database to which the user will have access.
      • roles: Array of user roles. Each role is provided as a separate string in the array. For the list of possible values, see Users and roles.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  4. Check the server response to make sure your request was successful.

Deleting a user

  1. Go to the folder page.
  2. Go to Yandex StoreDoc.
  3. Click the name of your cluster and open the  Users tab.
  4. Click in the row with the user you need and select Delete.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To delete a user, run this command:

yc managed-mongodb user delete <username> \
  --cluster-name <cluster_name>

You can get the cluster name with the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. Delete the yandex_mdb_mongodb_user resource with the user description.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.Delete method, e.g., via the following cURL request:

    curl \
  --request DELETE \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users/<username>'

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService.Delete method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.mongodb.v1.UserService.Delete

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  4. Check the server response to make sure your request was successful.

Examples

Add a user with read-only permissions

To add a new user2 account with read-only access for the db1 database to an existing cluster:

  1. Go to the folder page.
  2. Go to Yandex StoreDoc.
  3. Click the name of your cluster and open the  Users tab.
  4. Click Create user.
  5. Enter user2 for username and enter a password (from 8 to 128 characters).
  6. Select the db1 database from the Add database drop-down list.
  7. Select the read role from the drop-down list next to the db1 database.
  8. Click Create.

Run this command:

yc managed-mongodb user create user2 \
  --cluster-name <cluster_name> \
  --password <user_password> \
  --permission database=db1,role=read

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. Add the yandex_mdb_mongodb_user resource:

    resource "yandex_mdb_mongodb_user" "user2" {
  cluster_id = <cluster_ID>
  name       = "user2"
  password   = "<password>"
  permission {
    database_name = "db1"
    roles         = [ "read" ]
  }
}

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Modify user permissions

To grant read-only access to the db2 database to an existing cluster1 user named user1:

  1. Go to the folder page.
  2. Go to Yandex StoreDoc.
  3. Click cluster1 and select the Users tab.
  4. Click in the row with user1 and select Configure.
  5. Click Add database and select db2 as your database.
  6. Click and select the read role from the drop-down list next to the db2 database.
  7. Click Save.

Run this command:

yc managed-mongodb user grant-permission user1 \
  --cluster-name cluster1 \
  --database db2 \
  --role read

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. Find the yandex_mdb_mongodb_user resource.

  3. Add the permission section:

    resource "yandex_mdb_mongodb_user" "user1" {
  cluster_id = <cluster_ID>
  name       = "user1"
  password   = "<password>"
  permission {
    database_name = "db2"
    roles         = [ "read" ]
  }
}

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Previous
Managing databases
Next
Managing shards